The best course of action for a risk practitioner who finds that the approved risk action plan has not been completed but other risk mitigation actions have been implemented is to verify the sufficiency of mitigating controls with the risk owner. This is because the risk owner is the person who is accountable for the risk and the risk response strategy, and therefore should be consulted to ensure that the alternative actions are adequate and effective in reducing the risk to an acceptable level. The other options are not the best course of action, although they may also be performed after verifying the sufficiency of mitigating controls with the risk owner. Reviewing the cost-benefit of mitigating controls, marking the risk status as unresolved within the risk register, and updating the risk register with implemented mitigating actions are secondary actions that depend on the outcome of the verification process. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2, p. 193.